New Relic interactive application security testing (IAST)

If you don't see your application in one.newrelic.com > All capabilities > IAST > Applications > Tested applications, it could be due to:

• an incorrect version of the APM agent. Check the version of your APM agent and upgrade it if needed.
• IAST flags being disabled. Check the security configuration, and make sure that IAST flags are enabled for your security agent.
• an unexpected error. To see what went wrong, go to the nr-security-home/logs directory and find the [SETP-8] line in the LANGUAGE-security-collector-init.log file.
• lack of traffic on the application. Generate some traffic to allow IAST to test your application.

When the security agent is working correctly:

• You see your application in one.newrelic.com > All capabilities > IAST > Applications > Tested applications.

• You see coverage for the application in one.newrelic.com > All capabilities > IAST > Applications. Select your application and then, the coverage tab.

• You see the message Security Agent is now ACTIVE in the security agent log file nr-security-home/logs/LANGUAGE-security-collector.log. Replace LANGUAGE in the filename with the one you used.

• You get the OK value for Service stats -> agentActiveStat in the latest log file in nr-security-home/logs/snapshots/.

• In the nr-security-home/logs directory, search for the LANGUAGE-security-collector-init.log file. Replace LANGUAGE in the filename with the one you used, and make sure you see these steps:

  • [STEP-1]: The security agent is starting.
  • [STEP-2]: The security agent generates a unique identifier. For web socket connection, you'll see Node auth headers.
  • [STEP-3]: The security agent gathers information about your application.
  • [STEP-4]: The web socket connection to SaaS validator is established successfully.
  • [STEP-5]: The security agent threads are started.
  • [STEP-6]: The application instrumentation is successful.
  • [STEP-7]: The application receives and applies your policies and configuration.
  • [STEP-8]: You see a first event sent for validation, which means the security agent started successfully.

  Here's an excerpt of a security agent log file LANGUAGE-security-collector-init.log:

  Init Log File initiated.
  Init Logger configured successfully with level: INFO and rollover on max size 52428800.
  2023-05-26 10:45:02 :  [8] [New Relic RPM Connection Service] INFO : com.newrelic.api.agent.security.Agent - [STEP-1] => Security agent is starting
  2023-05-26 10:45:02 :  [8] [New Relic RPM Connection Service] INFO : com.newrelic.agent.security.AgentInfo - [STEP-2] => Generating unique identifier: 8a6d79c3-ad67-35d6-b811-17f7515b7f29
  2023-05-26 10:45:02 :  [8] [New Relic RPM Connection Service] INFO : com.newrelic.api.agent.security.Agent - [STEP-3] => Gathering information about the application

  Copy

Currently, IAST shows findings only, so you need to go see if your applications has any vulnerabilities.

Go to one.newrelic.com > All capabilities > IAST > Applications > Tested applications, click on the application and then, click on the Application coverage tab to view the application testing efficiency, APIs covered, and methods calls, amongst other data.

If you see your application in New Relic and the security agent successfully started IAST, but you don't see vulnerabilities in one.newrelic.com > All capabilities > IAST, then this could be due to:

• Your Application testing efficiency being low. You can check the level of efficiency in one.newrelic.com > All capabilities > IAST > Coverage. Add additional test cases to your application to get a higher level of testing efficiency.

• Your application being secure. In this case, your Application testing efficiency in one.newrelic.com > All capabilities > IAST > Coverage is high, but no vulnerabilities are detected.

• Your web socket connection being broken. Please check the latest log file in your nr-security-home/logs/snapshots/ folder, and look for the Service stats -> websocket line. The expected value is OK.

• Your application's framework or vulnerability category not being supported. See the supported frameworkd for the security agents:

  • Java
  • Node.js
  • Go

  If you're still not sure why you don't see vulnerabilities in IAST, share your application's configuration and logs with our support team.

It's possible that your application shows high traffic and latency for some time as part of IAST. This should resolve in a few minutes when the IAST test is completed.

You can also check the snapshot log file in the nr-security-home/logs/snapshots folder. The log file shows you the status of the security agent, resource usage, and the last five errors.

If your application has the functionality to create files and directories as part of serving an HTTP request, IAST will try to test the code path and hence, create such files and directories. The files, that are created by the application code under the influence of incoming HTTP requests, can't be deleted by the agent.

If you're sure that none of your APIs can create files and directories, share your application's configuration and logs with our support team.

As a part of IAST, the security agent sends new requests to the application that increases the load, resulting in an increase of resource utilization. This IAST analysis can also expose uncaught errors or exceptions in your application.

If the application has crashed due to lack of resources, increase the resources, restart the application, and perform IAST again.

For Golang, make sure that you imported the required instrumentation packages for the libraries and frameworks that your application uses.

For instance, let's suppose that your application is using this library: https://github.com/robertkrimen/otto.

For this specific library, you need to import the following instrumentation package: https://github.com/newrelic/csec-go-agent/instrumentation/csec_robertkrimen_otto.

Currently, we don't fully support Windows, so some vulnerabilities won't be detected.